Emerging Tech

Blog archive
Researchers patching cellphone leaks of personal data

Researchers patching cellphone leaks of personal data

When David Choffnes was a postdoc researcher at the University of Washington several years ago, he got curious about how his cell phone was managing network traffic. 

“I set up a VPN proxy for my phone, which let me see the traffic regardless of whether I was on a Wi-Fi or cell network,” Choffnes recalled.  “One of the first things I noticed that every word I typed to search in Google was being sent to Google unencrypted.”  While Google has since moved to encrypt search transmissions, it was a wakeup call for Choffnes. 

And since many smartphone apps continue to leak personal information – including user identifiers, locations and passwords – Choffnes, now an assistant professor at Northeastern University, decided to develop a service to detect and plug leaks.

What he and his team have developed is a cloud-based service called ReCon, which  monitors network traffic to and from a cellphone for plain text and applies machine intelligence algorithms to detect personal data.

Users run their cellphone traffic through a ReCon server over a VPN, which by itself greatly improves security. 

Software on the server monitors the plain text traffic for identifiable user data, which is then extracted and sent to the phones’ users so they can become more aware, Choffnes said.  “The other thing you can do is change the information being sent over the network so if users aren’t comfortable with what they see, they can adopt policies for changing the content of that traffic.” 

In early testing of ReCon with 31 mobile device users – 24 with iOS devices and 13 with Android devices -- the team found 165 cases of data being leaked. 

You might think that it should be up to the developers of the operating systems or the cell service providers to ensure against such leaks.  Unfortunately, said Choffnes, the few controls they give users to regulate what data their apps access are so complicated that they often go unused.

“Part of the motivation for this project is to make the leaks more transparent to average users, to provide some pretty clear obvious cases of what is being sent over the network and then allow [users] to make their decisions based on concrete examples, as opposed to permissions that are more focused for developers,” he said.

And while ReCon can’t stop an installed app from accessing or sending certain information, it can prevent the data from reaching other parties on the Internet. “Essentially, we can help users control where the information gets sent and how,” Choffnes said. 

To see which apps are sending data to what destinations, users log into the ReCon secure website, where tools are also available for controlling the data flow.

While the service is still being refined, it is available to users at no cost. Users can sign up for the service at http://recon.meddle.mobi/.  Bear in mind, however, that there is a waiting list, since Choffnes’ small team can’t keep up with the demand.

Interestingly, other recent research at MIT shows that roughly half the data being transferred to and from the most popular apps – and potentially charging users extra money on their data plans – has little or nothing to do with the user’s experience.  According to an MIT news release, researchers were not able to access the actual data in transmission, but they speculate that approximately half of it is devoted to delivering advertisements and gathering information for analysis. 

A Wal-Mart app tested by the team, for example, lets users scan the bar codes of products in Wal-Mart stores and retrieve their prices. What the users don’t know, however, is that the app is also sending data to a server that, according to the researchers, appears to be associated with eBay. When the researchers disabled that outgoing connection, there was no impact on the app’s behavior.

Posted by Patrick Marshall on Dec 01, 2015 at 2:18 PM


  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

Stay Connected